Hackers cause a power cut for the first time, say researchers

It is believed the attacks that caused the blackout were the work of a group dubbed 'Sandworm'

Andrea Peterson
Wednesday 06 January 2016 04:57 EST
Comments
Experts warn that, while is easy to come to conclusions about cyberattacks, it can be very difficult to pin down who was responsible
Experts warn that, while is easy to come to conclusions about cyberattacks, it can be very difficult to pin down who was responsible (Getty)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Hackers caused a power outage in Ukraine during holiday season, researchers say, signalling a potentially troubling new escalation in digital attacks.

"This is the first incident we know of where an attack caused a blackout," said John Hultquist, head of iSIGHT Partner's cyberespionage intelligence practice. "It's always been the scenario we've been worried about for years because it has ramifications across broad sectors."

Half of the homes in Ukraine's Ivano-Frankivsk region were left without power for several hours on December 23rd, according to a local report that attributed the blackout to a virus that disconnected electrical substations from the grid. Researchers at iSight on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a "destructive" cyberattack led to the power outage.

Electrical outages can lead to ripple effects that leave communities struggling with things like transportation and communication, according to security experts who have long warned about the potential for cyberattacks on the power grid.

In this case, the attackers used a kind of malware that wiped files off computer systems, shutting them down and resulting in the blackout, Hultquist said. At least one of the power systems was also infected with a type of malware known as BlackEnergy. A similar combination was used against some Ukrainian media organizations during local elections last year, he said.

A blog post from cybersecurity company ESET also reported that BlackEnergy malware helped deliver the destructive component "in attacks against Ukrainian news media companies and against the electrical power industry."

While ESET's analysis showed the destructive element was "theoretically capable of shutting down critical systems," it said BlackEnergy malware's ability to take control of a system would give attackers enough access to take down the computers. In that case, the destructive element may have been a way to make it harder to get the systems up and running again, according to ESET.

Hultquist believes the attacks that caused the blackout were the work of a group iSight dubs "Sandworm" that the company previously observed using BlackEnergy. In a 2014 report, iSight said the group was targeting NATO, energy sector firms and U.S. academic institutions as well as government organizations in Ukraine, Poland and Western Europe.

"Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out," Hultquist said.

He described the group as "Russian," but declined to connect it to a specific government or group. Other destructive cyberattacks in the past have been attributed to government actors - such as attacks on Iranian nuclear facilities thought to be the result of a collaboration between the U.S. and Israel, or the Sony Pictures entertainment attack blamed on North Korea.

But experts warn that, while is easy to come to circumstantial conclusions about cyberattacks, it can be very difficult to pin down who was responsible - or even what exactly happened. And there have been false alarms about cyberattacks on infrastructure in the past.

In 2011, experts said that a pump failure at an Illinois water plant appeared to be caused by foreign hackers. However, it was later reported that there hadn't been any malicious activity: Instead, a remote login to the plant's computers systems from a contractor traveling in Russia was mistakenly connected to the issue.

"It's easy to assume this threat actor is controlled by the Russian government and they intentionally shut down power in this region in Ukraine, but evidence to prove that conclusion is very difficult to obtain for various reasons," said Tom Cross, chief technology officer at cybersecurity firm Drawbridge Networks.

The picture can often become clearer as more information trickles out, but the public and even some of those investigating may not be operating with all the facts, according to Cross.

"When a plane crashes, the FAA publishes all of the details about the incident. That makes sense because we pilots want to know what to do to avoid the next crash," he said. "In our industry, when something like this happens, some information comes out and some doesn't."

Not everyone necessarily has an interest in fully disclosing the attacks because it might embarrass them or give new information to attackers, Cross said. But he argues that the more people know the details about the attack, the better the security industry can prepare for the next one.

"People should operate with an abundance of caution and assume the threat is real while demanding technical detail and evidence," he said.

Assuming that the hackers did take out the power in Ukraine, there was a silver lining, according to Cross: The grid seems to have rebounded quickly.

"The world didn't end here - they did get power back up," Cross said.

Washington Post

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in